New Attacks from ‘Gameover’ Gang

Friday, December 7, 2012 @ 05:12 PM gHale

Millions of emails, which pose as coming from major U.S. banks, are spamming out, according to Dell SecureWorks’ Counter Threat Unit.

The fake but convincing-looking emails appeal to a more security-minded banking customer: “You have received a new encrypted message or a secure message from [XYZ] Bank,” one of the email campaigns said, noting the bank has set up a secure email exchange for its customers as a way to allay privacy and security concerns.

Changeup Worm Growing
New Malware Targets Databases
Fake Certificates for Police Trojans
DNS Records Hacked

The message includes an infected attachment the “bank” requires for download and registration to the supposed secure email system. Once downloaded, it executes the pony downloader Trojan that installs Gameover and steals online banking credentials, credit card account numbers, and other information.

Another email campaign said the recipient received a fax, scan, or voicemail, and includes a “free program” for retrieving the message, but the attachment installs the malware.

These spam attacks come via the cybercrime Gameover group. Unlike some cybercrime groups, doesn’t lease or sell its malware or services. It’s a closed operation that sometimes contracts resources such as the Cutwail botnet to transport its attacks. More than half of the Top 20 Fortune 500 firms suffered infection with the Trojan as of this summer, said SecureWorks.

“This particular group has found a combination of malware, tactics, and procedures that leads to success for them. They will continue to follow the same process [of working this way],” said Jon Ramsey, CTO of Dell SecureWorks. “The malware they use is a private version of theirs, and they don’t sell it on the black market. They feel there’s more of an upside financially in keeping it private.”

Ramsey said the gang has had plenty of success creating large botnets for sending more malicious spam and conducting distributed denial-of-service attacks. They’re using a dual-botnet sort of model with Cutwail transporting the spam, and subsequently infected Gameover bots spreading their infections and doing the Gameover botnet operators’ bidding.

About 678,205 machines ended up infected with Gameover Zeus in August, according to SecureWorks, and it’s the biggest botnet targeting financial institutions today. Fourteen of the 20 top Fortune 500 firms suffered infections, including financial services firms, defense contractors, government agencies, law enforcement, military, and universities.

The peer-to-peer Gameover botnet was able to deter disruption and to make attribution more difficult. Even so, peer-to-peer botnets are easier to “poison” by using phony peers that allow researchers to sinkhole traffic, according to SecureWorks’ Brett Stone-Gross, who has closely studied Gameover.

“The P2P ZeuS crew receives considerable support from the products and services offered by the underground community, who collectively fulfill vital functions to plan and execute a large successful cybercriminal operation. Moreover, the large number of compromised personal computers and web servers provide a robust and low cost infrastructure for a variety of malicious activities,” said Stone-Gross.

Cutwail, one of the world’s largest botnets, to date contains around 500,000 or so bots, according to SecureWorks data.

Leave a Reply

You must be logged in to post a comment.